hxxps://varbyname[.]produceglobalsolutions[.]com/?mail=test@example[.]com&paths=aseu&type=Scan_104

General

Target

https://varbyname.produceglobalsolutions.com/[email protected]&paths=aseu&type=Scan_104
Sample

211008-qqdweaedhn

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{06F10791-2A97-11EC-AF2E-4208BF05CDF7} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b091e66748bcd701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "340513234"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "340464648"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "340481243"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d00000000020000000000106600000001000020000000989d15b91021b5f07e37dd519a4022cdb6dedc5075ec3d75e07ebde57b23716d000000000e8000000002000020000000dcb1afd3da5940281a5a7edb8ba8ba2d4cac378f8fa39b5acf3a0c175d6de519200000006088ac3d045e6c104cd5c7d60c8cef8ee7b22370100ce96dcec80d867a62002740000000d25fb35a6dae4446030abbe3ea87eb43f7995a8ddc2f157db7f52383736eda00ea468114a086807f554b28e4673ba2fbdff807adc610b3374d8089b655eb44d4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d00000000020000000000106600000001000020000000c9fb1c4278ce4aab7cce92dcf928a4c1102e07f3d4d9ef00fa3b7f3c542c6e2b000000000e8000000002000020000000daf3d5b5945102ef7541dc262eab3715a10d32f3bfc91771b02065f0540b715a20000000b0f649db41c5284b162214cbed443ddc7184ef3e576814850beb70509b66f77040000000608671cbf366f65366d9ec0f522be70fb92da28181eb0fdfcacc8f6a72d1c135afcef6c4af3c3b93103d5c9b4db9fec58a1069f7b2176ca2274cfa631629ad87	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 509ea86748bcd701	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1720 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1720 iexplore.exe
1720 iexplore.exe
860 IEXPLORE.EXE
860 IEXPLORE.EXE

pid	process
1720	iexplore.exe

pid	process
1720	iexplore.exe
1720	iexplore.exe
860	IEXPLORE.EXE
860	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1720 wrote to memory of 860	1720	iexplore.exe	IEXPLORE.EXE
PID 1720 wrote to memory of 860	1720	iexplore.exe	IEXPLORE.EXE
PID 1720 wrote to memory of 860	1720	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://varbyname.produceglobalsolutions.com/[email protected]&paths=aseu&type=Scan_104
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1720

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1720 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:860

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_34D61B4A2A4AE0D3DDAB879224BCA77B
MD5
ba3961893544ebeb549b25190f2c4ced

SHA1
6475218ff33bb63d6312e77bd051c1131dceb426

SHA256
01f6feeb4d134be35fa24055d1aae1b86f53d33d14b22a491302de093eb76279

SHA512
bfb4c62ca94c17e92c7fe144fe455b0dd8a249405915ef6b9d564cfe99fb97bc9407b83c822ae180138b1cd3ac64fc0b7a6f85301bd0ca296f6e7036331f1041

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2460612ECA41F1FB59672756A52E85F9
MD5
84038a7d2f2e9560baf33cc20005e1dc

SHA1
8133092c27025828031841cc8db68604ac44db11

SHA256
1daf62f444ad7ecc8357bc86f773f4db2095059bc6c2bb4c041f5eaa867f7df2

SHA512
65dec99a20b3a9e7c791488ae389fe9785222f86ee4dca3dcc8a5455c4b2e32a4e42ca389b9099c3fcefbec44105ccf67b7d375ed343dfa1914f974810538ab3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
8f439021290aa6bf8af3da275aeca450

SHA1
f52db4ca1c156995e612063ba10b68e19ce16d6d

SHA256
90d9d61871087772c554bd45271bb8c7f018e219b2bc692f08766ad6adec45f1

SHA512
599c96987d5ebf9c4546003265b6727a10787b048bfbf7662301776e345f7b7ba416a6df96dad63e31a96d77ef45f260dd81495d61dad215305593692425e5cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_34D61B4A2A4AE0D3DDAB879224BCA77B
MD5
87c838efb06fac7de1d50dd12a8ca008

SHA1
d811d15cd053b6e6d3091ae5cfa523087a8fa3cf

SHA256
907c74dd91b49c6ca2a2a948395d5d159dfd5cb8002f56ea15666cca894c7e6d

SHA512
c0350881e9cd38c7fb313a91cf5f226c88f05c9ec4fa6e4a40b17c5d77dca1b62efbac82d68b3a3047662efbe41dd9a6b4cd36d0800d8988225655a2c5dafe0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2460612ECA41F1FB59672756A52E85F9
MD5
6074faf53b1b332cd8bf5e26fdde2b2f

SHA1
bd931ee6616420f4f19a1244aaf9d614af6da385

SHA256
81afe054102dfe8cf8da8f3fd0bf4161278a1e3a70e9b5676c5151756b710aee

SHA512
6a464698ea21675a2976aa8e5ed91987fd23e033294b99dcab46b9d55583268160cf742cc3fdd94b0994f372e345ecb7c3e2325744b9c0a584ca594061bb62ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
de31293ea4659e0fd4b578ac80f740c3

SHA1
b226b7dd13686b9f67ac6ea2c1fe27395e6628c1

SHA256
68894bf4e06a5875e069fb8b032c4e7d4c85e9ddf8446eeaca1e6aecd0ce01cf

SHA512
0056b3c417565b7105b4daf142d656d4db7ec36bd615bfe4baa629d97fb6c7cbadfe01fe6185b5f53c6d92e971843130c5768397d843d8c11880490e0a476e2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\26YE8RT1.cookie
MD5
b35181a5414ae1e70417539505ce09bc

SHA1
601d04a0563829654d26d69f087397551bd4ffde

SHA256
b240d16d9d4d116e9a958d4b5fa72de3f730d4533267bf5dcc55dbb5a6c78f63

SHA512
d4965f5e5a8af076361ecadad92b87415379d16d1abcf4d77abe3e630e28af3de4eea477dfdcf3be4e96c954dcfeb2cb3125cfba1c6d040bcb16926d7b0080e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\KC8ZWO5W.cookie
MD5
b64e6e5ff606ced8644a3a254c02cb6d

SHA1
bd2b726da3bf09e6cfd73e679b46034a8a36fdf8

SHA256
eec86d41e98e533dd3bfb17bb57eebc70e9678379a6ce567155ace3c05e4e2f8

SHA512
d55151f77fe3a17391021dc249387d6a19c885789ea46ba872c9fca7f1fcec4c2661cc7f251274ac06cfd57bbf105942f31f6d59699caeeabc18869425bd04ef

Download Submit
memory/860-140-0x0000000000000000-mapping.dmp

Download
memory/1720-142-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-149-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-122-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-124-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-123-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-125-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-127-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-129-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-128-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-131-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-132-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-133-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-134-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-136-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-137-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-138-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-141-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-120-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-144-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-145-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-147-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-121-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-150-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-151-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-155-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-156-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-157-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-163-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-164-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-165-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-166-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-167-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-168-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-169-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-170-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-171-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-119-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-117-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-116-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-115-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-172-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-176-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-175-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download
memory/1720-177-0x00007FFEC8750000-0x00007FFEC87BB000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing